Skipfish Security Scanner for Web Apps

Google's online security teams has come out with a free security scanner for web apps, named Skipfish.

The command line tool acts as Web crawler and prepares an interactive sitemap for the targeted site. The Web app is then subjected to a number of nondisruptive security probes, such as for cross-site scripting (XSS), cross-site request forgery (XSRF) and server-side SQL injection. The software can probe websites developed under multiple technologies and frameworks.

Skipfish is written in C and, according to its developers, shows great performance: Internet requests can produce over 500 responses per second, LAN/MAN requests over 2,000 responses and local requests over 7,000 responses per second. The developers implemented a custom HTTP stack for Skipfish.

The Skipfish developers indicate that their tool digs up many relevant security vulnerabilities, but not all. As with many security scanners, permission to test the website is the prerequisite, unless you own it outright.

Skipfish is open source software under Apache 2.0 licensing. The Google Code site has its own Skipfish page, with downloads of a source tarball and online documentation.